Metasploit Researcher II



Product & Engineering

The Metasploit R+D team is responsible for working with the open-source contributors to add new modules and features to Framework, and for producing research that excites and inspires the security community. Earlier this year, we released MSF 5 after a long pause between major versions. Now, we're thinking about the content and capabilities offensive operators need in MSF 6—from new exploits and innovative payloads to more intuitive targeting and stealthier movement within modern environments. 

We're hiring a security researcher to develop high-quality modules, iterate on Framework features, and work on research that captures imaginations and inspires contributions from the security community. This role is based in Rapid7's Austin, TX office. 

Metasploit Team Opportunities

Help Rapid7 and the Metasploit community work together toward a shared vision for the future of Metasploit Framework and its ecosystem. You will work with a talented team to develop new modules and payloads for Framework, produce research on trends that pique interest from both offensive and defensive practitioners, and make substantial technical contributions to a global engineering product team. 

Desired Technical Skills

  • Demonstrable experience developing standalone PoCs or Metasploit modules.

  • Knowledge of Metasploit Framework. You understand what it's for and how to use it. Experience in penetration testing, red teaming, mobile security, or security research is highly desirable, as is familiarity with the tooling and techniques used to advance these disciplines.

  • Experience with Ruby, Python, or Go is a major plus; while Ruby is not necessarily important as your primary language, it is necessary to be able to understand and extend the techniques that Metasploit embodies. 

  • Interest in vuln analysis, fuzzing, reverse engineering, and/or advanced exploitation techniques; hands-on familiarity with tools such as WinDBG, GDB, Wireshark, IDA Pro, Burp Suite, Ghidra, etc.

  • Experience with modern network topologies and application deployment platforms such as AWS, Azure, Kubernetes, and Docker is a major plus. 

  • Conversant in distributed and open-source project development. You can review, merge, and rebase with aplomb.

Soft Skills (just as important as technical skills)

  • As a security researcher, you'll bring and hone an instinct for when something belongs in Framework (technique, PoC, enhancement), how to best incorporate it (integration, module, library), and how to turn development trends into public-facing research that excites the community and showcases your technical skills. Show us how you connect dots and spot patterns.

  • Great communication skills, a “pick up a shovel” mentality, and an appetite for knowledge-sharing. Curiosity is king! It's even better if you share it with teammates.

  • Ability to learn and dig into code. The Metasploit Framework code base is large and was contributed by hundreds of developers. Not everything is spelled out, but everything is discoverable. Enthusiasm for code spelunking is a prerequisite for success.

  • Ability to learn and evaluate new technologies quickly. You're comfortable with and excited about experimentation and uncertainty. 

  • Ability to work asynchronously and directly with a team of co-workers and volunteers from around the globe. 

  • Passion for Metasploit, open-source development, and community interaction. 

Ideally, you have a body of work you can point to that showcases your research and development interests. Have you published blogs or technical analysis of vulnerabilities, exploits, or techniques that interest you? Written purpose-built tools that made your life easier? Contributed to open-source projects? Show us what you're passionate about, where your curiosity lies, and how you've pulled things together to solve problems for yourself and others.